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ABSTRACT 



This thesis presents an implementation of 
multiprogramming and process management functions for the 
security kernel of a distributed multiprocessor system. The 
implementation is based on a family of operating systems 
designed to provide controlled access in a microcomputer 
network to data bases containing multiple levels of 
sensitive information. 

I^ul tiproeramming improves system efficiency and creates 
a virtual environment which frees the remainder of the 
operating system from a dependence on processor 
configuration. Processor management coordinates the 
asynchronous interaction of system processes. 

This implementation describes a processor multiplexing 
technique for a distributed kernel and presents a virtual 
interrupt mechanism. Its structure is loop free to permit 
future expansion into more complex members of the design 
family. 
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I. INTRODUCTION 



The application of contemporary microprocessor 
technology to the design of large-scale multiple processor 
systems offers many potential benefits. The cost of 
high-power computer systems could be reduced drastically* 
fault tolerance in critical real-time systems could be 
improved? and computer services could be applied in areas 
where their use is not now cost effective. Desi^nin^ such 
systems presents many formidable problems that have not been 
solved by the specialized single processor systems available 
today . 

Specifically, there is an increasing demand for computer 
systems that provide protected storage and controlled access 
for sensitive information to be shared among a wide range of 
users. Data controlled by the Privacy Act, classified 
Department of Defence (DoD) information, and the 
transactions of financial institutions are but a few of the 
areas which require protection for multiple levels of 
sensitive information. Multiple processor systems which 
share data are well suited to providing such services - if 
the data security problem can be solved. 

A solution to these problems - a multiprocessor system 
design with verifiable information security - is offered in 
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a family of secure, distributed multi-microprocessor 
operating systems designed by O'Connell and Richardson [1] • 
A subset of this family, the Secure Archival Storage System 
(SASS) [2,3], has been selected as a testbed for the general 
design. SASS will provide consolidated file storage for a 
network of possibly dissimilar "host" computers. The system 
will provide controlled, shared access to multiple levels of 
sensitive information (figure IK 

This thesis presents an implementation of a basic 
monitor for the 0 'Connell-Richardson family of operating 
systems. The monitor provides mul tiprogramming and process 
management functions specifically addressed to the control 
of physical processor resources of SASS. Concurrent thesis 
work [4] is developing a detailed design for a security 
kernel process, the Memory Manager, which will manage SASS 
memory resources. 
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SASS SYSTEM 




Figure 1 
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A. BACKGROUND 



The general family design is composed of a supervisor 
and a security kernel. The supervisor provides dynamic 
linking, a discretionary security policy, demand memory 
management, and a hierarchical file system in support of the 
user. The security kernel manages physical resources to 
provide scheduling, interprocess communication and 
synchronization, and a non-di sere t iona ry security policy. 
The design is loop-free to permit the implementation of 
system subsets ranging from a simple monitor to a general 
purpose computer utility. 

SASS is a subset of this system and does not require use 

of several higher levels of the general system design. 

Dynamic linking, demand segmentation, transient processes, 

and a user domain are not necessary for its intended 

operation, and are excluded. The software of SASS is 

partitioned into two domains. The security kernel, which is 

the most privileged domain, manages system physical 

resources in a manner designed to prevent unauthorized 

information flow, regardless of action taken by other 

elements in the system. The less privileged domain, the 
✓ 

supervisor [2], provides each host with a hierarchical file 
system in which it may store and retrieve files and share 
them with other hosts. The hosts send commands and transfer 
files via bidirectional digital links. SASS was designed for 
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implementation of currently available microprocessor 
hardware. Multiprogramming is used to improve system 
efficiency and to create a virtual environment which frees 
the remainder of the operating system from a dependence on 
the physical processor configuration. Processor management 
provides a means of coordinating the interaction of the 
asynchronous processes which comprise the system. This 
implementation employs a processor multiplexing technique 
for a distributed kernel and presents a virtual interrupt 
mechanism. The modular, hierarchical structure of the 
software is loop-free to support system expansion to higher 
level functions. 

Although the primary poal of the design is security, the 
clean, logical, process-oriented structure of SASS offers 
other benefits as well, includinf? fault tolerance, resource 
configuration independence, and efficiency. 

B. COMPUTER SECURITY 

The need for providing protection for information within 
a computer system is well documented. Development of the 
security kernel technology [5,6], has transformed the 
operatin? system designer's approach from a game of wits 
with penetrators into a methodical design process. 

In general, security is provided by providing protection 
for information in accordance with a specific protection 
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policy. In 


the 


case of 


computer 


securi ty 


this 


is 


accomplished 


by 


controlling the 


access 


of 


people 


to 


information. 


Although this 


protection 


can 


be 


provided 


by 



external controls (e.g., confining the computer system and 
all its users within a physical security perimeter), this 
method is inefficient and prone to human error. Furthermore, 
a distributed computer network will probably be dispersed 
over too wide an area to be physically confined. Supported 
by the security kernel approach, an internal protection 
mechanism controlled by the computer operating system is a 
feasible solution. 

1 . Reference Monitor 

The concept of protection is realized within the 
computer system by the implementation of a mathematical 
model of information security. This model is based on an 
abstract representation of security called the Reference 
Monitor [7]. The Reference Monitor describes a mechanism for 
controlling the access of subjects to objects, based on a 
set of access authorizations (figure 2). 



Reference Monitor 




Figure 2 
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Every time a subject attempts to access an object, 
the Reference Monitor checks to determine if the subject has 
authorization to perform the desired operation (e.^., write, 
read) on the object. If the policy does not authorize the 
access, the Reference Monitor will prevent the subject from 
performing the requested operation. This mechanism is 
realized within the operating system as the security kernel. 
Several system features are required in order for the 
mechanism to function correctly. 

First, every reference to information (i.e., every 
access to primary memory by the processor) must go through 
the Security kernel. 

Second, the implementation of the security kernel must 
be an exact representation of the mathematical model of 
information security. 

Third, the security kernel must be tamper-proof. 

2. Security Policy 

The security policy to be enforced by the computer 
system consists of external laws, rules, regulations, etc., 
which establish permissable information access independent 
of the computer system. Therefore, a computer system will be 
secure only with respect to a specific security policy. The 
security kernel concept supports a broad range of security 
policies that can be divided into two classes, 
non-discretionary and discretionary security. 
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a. Non-discretionary Policy 

Non-di scretionary security policy uses labels to 
insure only permissable access of subjects to objects is 
provided. Object labels reflect object sensitivity and 
subject labels reflect subject authorization. (For example, 
National Security Policy labels include Unclassified, 
Secret, etc.). A non-discretionary security policy provides 
compromise protection (from unauthorized reading), integrity 
protection (from unauthorized modification), and must 
prevent information leaks resulting from indirect access to 
unauthorized information as well. A non-discretionary 
security policy requires that all subjects and objects have 
labels. Most contemporary computer systems do not provide 
this explicit labeling and therefore implicitly make all 
access permissable. 

b. Discretionary Policy 

Discretionary security policy provides a finer 
division of access by allowing individual subjects to decide 
which of the permissable accesses, determined by 
non-discretionary policy, will actually be allowed (e.g., 
DoD's "need to know”). Many contemporary computer systems 
support discretionary security policy with access control 
lists, file passwords, capability lists and other 
mechanisms . 



13 



3 . Security Kernel Design 



By careful interpretation of the mathematical model 
of the Reference Monitor, the security kernel is desiismed to 
he a subset of operating system functions. Kernel primitives 
form an interface between this subset and the remainder of 
the system. If these primitives are implemented correctly, 
their use .guarantees that information will be protected in 
compliance with system security policy, regardless of any 
action taken by other portions of the operating system or by 
the user. A more detailed discussion of the security model 
is provided in [4,5,6]. 

C. SCOPK OF THESIS 

In this chapter a subset of the general operating 
system design, the Secure Archival Storage System (SASS), 
was described. The concept of information security was 
examined and the security kernel was presented as a 



technically sound 


approach 


t 0 


the 


pro bl em 


of 


providing 


internal computer 


securi ty . 












Chapter Two 


will discuss 


the 


design 


goals 


of this 


operating system. 


Functi ona 1 


design 


requirements 


will be 



developed and the issues of physical resource management and 
performance will be traced to specific attributes desired in 
system hardware. The rationale behind the ultimate selection 
of Zilog's Z80OO Microprocessor and memory management 
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unit for use in the SASS testhed implementation of 
this operating system will he discussed. 

Chapter Three will descrile the high level design of 
SASS with an emphasis on the security kernel design. A view 
of the user (computer host) environment as a collection of 
cooperating processes will he presented, and the 
hierarchical structure of the distributed kernel modules 
will he examined in detail. 

Chapter Four will present an implementation of the SASS 
security kernel modules that provide multiprogramming and 
processor management. The construction of the virtual 
machine environment will he described and the advantages of 
a two-level scheduling mechanism will he explained. 

Finally an evaluation of this implementation will he 
presented with recommendations for improving the design and 
suggestions for follow on work. 
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II . OPERATING SYSTEf^S DESIGN CONCEPTS 



The kernel prirritives providing mul t ip rof?rammi n£r and 
process management form one of the smallest and most basic 
subsets in the family of operating systems designed by 
O'Connell and Richardson [4]. As developed here they were 
implemented specifically to support SASS. In general the 
same kernel primitives will support all members of this 
design family. 

Before discussing the high level design of the SASS 
security kernel and presenting an implementation of these 
primitives, it is useful to investigate the general design 
methodology applied to the development of this operating 
system. In this chapter the design goals of SASS will be 
analyzed and traced to functional requirements and hardware 
attributes considered necessary or desirable in support of 
the system's design goals. It is recognized that the 
operating system user Will probably not address these issues 
directly when specifying system design goals. The material 
presented here concerns the approach of the system designer 
to the definition of requirements implicitly related to user 
design goals . 
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A. DESIGN PFILOSOPHY 



Two issues confront the operating system designer. 
First, he must provide system functions which support the 
services requested hy the user. These functional 
requirements affect the logical design of the system. 
Second, he must address issues of cost and performance. Cost 
and other management considerations will not he addressed 
here. Performance issues concern the management of physical 
resources and ultimately can he reduced to hardware 

requi remen ts . 

There is a considerable amount of literature devoted to 
the development of the functional design of operating 
systems. Dijkstra [6] has described a technique for reducing 
the complexity of the design by allocatinf' operating system 
activities to a number of cooperating processes. Process 
structure is simplified in turn by defining its functions in 
levels of increasing abstraction and by applying the 
principles of structured programminfr. 

f^adnick and Donovan [9] have described an operating 
system as a hierarchical extended machine. Program modules 
are added to the system hardware to provide many extended 
instructions in addition to the hardware instructions 

available on the tare machine. In complex systems one 
extended machine may be constructed upon another to form a 
system composed of levels of abstract (virtual) machines. 
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Saltzer [10] and Reed [ll, 12] have discussed the 
advantages of resource virtualization and have described 
some useful interprocess communication mechanisms. The 
general desi,gn strategies presented in this and other 
research aid the operating system designer in developing 
system functions in a clean, logical, verifiable design. 

The selection of an appropriate computer architecture, 
which supports both functional requirements and the 

efficient management of physical resources, often proves to 
be a more difficult issue. Frequently operating systems 
design is shaped by the capabilities of system hardware. 
This may be a result of performance limitations or cost of 
available hardware, but often this course is taken because 
traditionally, system design begins with hardware. Since a 
primary goal in operating systms design is to create a 
specific operational environment for the user, it would 
appear to be preferable to design from the desired 
environment "down to” the hardware. In this way all 
components of the system, software and hardware alike, are 
evaluated in the light of the ultimate goals of the system, 
and any incompa tabil i ti es between required functions and 
hardware capabilities will be discovered early in the 
design. Then, if modifications are required, design changes 
can be made at a high level which will preserve design 
integrity. LSI technology currently provides a wide variety 
of relatively inexpensive microprocessor hardware from which 
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to select specific physical components. Jurthermo re , it is 
often feasible to design special purpose hardware to 
specification. So the traditional restrictions on hardware 
versatility in systems design need not apply in many cases 
to microprocessor systems. 

In summary, the top-down design philosophy can te 
applied to operating systems design in the following manner: 

1. Identify general and specific design goals. 

2. Derive functional design requirements. 

3. Identify performance requirements. 

4. Select system hardware. 

5. Develope kernel software. 

6. Develope the remainder of the 0/S software. 

B. GENERAL DESIGN GOALS 

Although many design goals depend upon specific system 
application, there appear to be some attributes desirable in 
all operating systems. 

1 . logical Structure 

Computer system design is an engineering problem and 
the tools of the engineering design process should be 
applied to the development of software as well as hardware 
[13]. Clarity should be a major goal of any design for if 
the operating system cannot be understood easily it will be 
difficult to test, difficult to maintain, and its 
correctness will always be in doubt. A sound enginering 
design philosophy is not guaranteed to generate error free 
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systems, tut if system functions are cleanly organized and 
well understood, then it is likely that there will le few 
errors and these can he corrected without difficulty when 
discovered . 

2. Fault Tolerence 

If an operating system is to he reliable, the 
software it uses must he protected from damage whenever 
possible. In particular, tasks performed hy the system 
should he isolated from another so that a malfunction (e.g., 
as the result of hardware failure) in one task has no effect 
on others. 

3. Efficiency 

The efficient use of physical resources (processors, 
memory, periphals, etc.) continues to he a primary design 
goal. However, since hardware is no longer the scarce, 
expensive commodity it once was, a concern for overall 
system efficiency (i.e., higher thorugh-put, faster response 
time) may he more important. With appropriate component 
selection many software functions can he replaced hy 
hardware functions that can provide an improvement in system 
performance at a small additional hardware expense. 

C. SPECIFIC DESIGN GOALS 

The family of operating systems designed hy O'Connell 
and Richardson provides all of the services expected of a 
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state of the art, general purpose operating system, yany of 
these general services are not necessary in the SASS subset 
of the family. The number of processes required by SASS is 
determined by the number of host computers linked to SASS 
hardware. A design choice was made to fix this number at 
system generation time. Therefore dynamic process management 
is not required) SASS processes exist for the life of the 
system. A primary function of SASS is the transfer of files 
between host computers and SASS via bidirectional digital 
links. As a result, the system will have a low transaction 
rate, and the relatively fast response time desired in a 
time-sharing system is not required here. Sass dees not 
provide programming services to users? the system strictly 
manages an archival storage system. This eliminates the 
requirement for a user domain and because the demands on 
primary memory are not excessive, there is no need for 
dynamic memory management. 

Other services of the general system provide 
essential support to SASS. These services include I/O 
management, file management, and the physical resource 
management and information protection functions providpd by 
the security kernel. 

The SASS requirement to provide multiple host computers 
(users) with controlled, shared access to a multilevel 
secure "data warehouse" leads to several design goals. These 
include: internal security to proctect information in a 
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distributed computer network? configuration independence for 
system versatility? and a subsetting capability to support 
future system expansion to more complex members of the 
design family. 

1 . Internal S<^curity 

A unique feature of SASS is the specification of 
multilevel security as a primary design goal. Multilevel 
security provides controlled sharing of information of 
varying sensitivity amon^ many users in accordance with an 
access policy implemented internally by the operating 
system. It is essential that a system supporting a remotely 
accessed data base containing information of different 
access classes be provided with an internally enforced 
security policy. 

2 . Configuration Independence 

The resource configuration of a multicomputer system 
is highly changeable. Processors are added and removed? 
memory is reconfigured? interconnection schemes are altered 
and peripherial equipment is changed. The operating system 
of such a design should be sufficiently flexible to permit 
maintenance and to allow for growth and reconfiguration 
without requiring drastic system redesign or noticeably 
affecting the user's environment. 

3 . Sub-setting Capability 

Operating system "sub-setting” refers to the ability 
to form meaningful subsets of the design by eliminating many 
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of the services that can he provided hy the system without 
affecting the usefulness of the remainder of the system. 
Suh-setting permits the system to he tailored to fit a 
number of specific designs ranging from a simple monitor to 
a full service time-shared computer utility. The 
implementation presented in this thesis creates a monitor 
that provides multiprogramming and processor management. 
This subset supports more complex family members of the 
design such as SASS. 

D. DESIGN HEOUI REGENTS 

In a top-down approach to design, goals are clarified 
and defined by requirements which describe either the system 
functions or address cost and performance issues (hardware 
requirements). The functional requirements defined below 
support the specific design goals of SASS and provide 
features desirable in any operating system, such as a 
logical structure, fault tolerance, and efficiency of 
operation . 

1 . Functional Requirements 

Functional requirements define services which must 
be provided to support the user's environment, 
a. Process Organization 

By designing an operating system as a collection 
of cooperating processes, system complexity can be greatly 
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reduced f£] . This is because the asynchronous nature of the 
system can be structured logically by representing each 
independent, sequential task as a process and by providing 
interprocess communication mechanisms to prevent races and 
deadlocks during process interactions. 

The notion of a process provides a complete 
description of all instructions executed and all memory 
locations referenced during the performance of a task. A 
process is defined by an address space and ar execution 
point. The address space is the set of memory locations 
which could be accessed during process execution. •'The 
process is viewed as a past, present and future "history" of 
memory locations which actually were referenced.) The 
execution point is the state of the processor at a given 
instant during pro cess execution. In the abstract view, an 
address space is defined by a collection to discrete points, 
each representing a memory word. The process is described by 
the path traced through this address space from process 
creation to destruction. In figure 3 the main path traces 
the process execution point as it moves from one instruction 
(i.e., memory word) to another during process execution. The 
branches from this execution point path represent data 
references . 
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Process History 



Process 
creati on 




Several advanta;tes result from usin^ a process 
oriented design. As a tool for dealing with the asynchronous 
nature of system operation, processes provide a simple, 
logical, high-level structure for the design. For example, 
the Secure Archival StoraP'e System supports each host with 
three processes: a I/O Manager, a File Manager, and a Memory 
Manasrer, which interact to provide secure file mana^eement 
services to the host. This interaction will be described 
further in the next chapter. Since each process is confined 
to a secific address space, tasks are isolated from one 
another and system fault tolerance is improved. 3y providing 
an internal represantation for each user, a process nicely 
fits the definition of a "subject” in the Reference Monitor 
and therefore supports the design goal of providing internal 
securi ty . 



t. . “^erory Segmentation 

The address space of a process is composed of a 
collection of segments. A segment is a logical collection of 
information (e.g., procedure, data structure, file, etc.) 
and is the basic logical object of this design. Figure 4 
illustrates the two-dimenti onal nature of the segment 
address. Each segment consists of an arbitrary region of 
memory containing a sequence of words with conventional 
linear addresses. Two-diment ional addressing frees 
information from dependence on a particular memory location 
by making it arbitrarily relocatable. 

Segmented Addressing 
«SEG #n>> OFFSET 

Descriptor segment Segment 
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Figure 4 



The descriptor segment provides a list of 
descriptors for all segments in a process address spece. In 
addition, segmentation supports information sharing since a 
segment may belong to more than one address space. 
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Segmention also provides a means of associating logical 
attributes and labels with each segment, such as access 
class, domain, etc. This feature supports segments as 
internal representations of the Reference Monitor's 

t# tt 

object . 

c. Abstraction 

Abstraction provides a method for reducing 
problem complexity by applying a general solution to a 
collection of specific cases [14]. Structured pro^^ramni n;? 
provides a tool for creating abstraction in software design. 
By strictly applying two special rules in addition to the 
general principles of structured programming, a structure 
consisting of levels of increasing abstraction can be 

constructured . 

First, calls cannot be outward toward higher 

levels of abstraction. This frees lower levels from a 

dependence on higher levels by creating a loop-free 

structure [15] and results in a design which is capable of 
having subsets. 

Second, calls to lower levels must be by special 
entry points or gates. Each level of abstraction creates an 
virtual hierarchical machine [9]. The gate to each level 
provides a set of instructions created for that virtual 
machine. Thus higher levels may use the resources of lower 
levels only by applying the instruction set of a lower level 
machine. (At domain boundaries, use of gates is strictly 
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enforced "by a ring-crossing r^echanism ; otherwise gate use is 
implicit in the structure of the software.) Once a level of 
abstraction has been created, the details cf its 
implementation are no lon^^er an issue. Instead users see 
layers of virtual machines , each defined by its extended 
instruction set. 

Each process used in SASS is designed in levels 
of abstraction. When the rules of abstraction are applied to 
level the physical resources of the system, these 
resources are "virtualized". Thus the first level of 
abstraction creates "virtual processors", "virtual memory", 
and "virtual devices" from the system's hardware. At each 
higher level the detail of the design is reduced. The gate 
at the boundary between the highest level of the security 
kernel and the lowest level of the supervisor provides a 
mechanism for isolating the kernel as well as insuring that 
each memory access is via kernel software. This mechanism is 
implemented in SASS by a ring-crossing mechanism called the 
Gatekeeper . 

d. Resource ?irtual izat ion 

The first levels of abstraction above system 
hardware create virtual representations of physical 
resources (virtual processors, virtual memory, virtual 
periphals). Since upper levels of the design operate on 
these virtual resources, rather than on physical resources, 
most of the design (i.e., everything above resource 
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virtualization levels) is independent of the physical 
conf iisurat ion of the system. Ey providing virtual to real 
resource binding in the kernel, and by enforcing entry into 
kernel levels with the Gatekeeper, SASS protects physical 
resources from tampering and insures memory access only via 
the kernel. As a result, the kernel m.odules of each process 
will guarantee that the system's non-di scret i onary security 
policy is enforced. Includinsr in the kernel only those 
functions essential to system security keeps it small and 
reduces the job of verification to manageable proportions. 

2 . Hardware Requirements 

Virtual resources are created by the multiplexing of 
various types of information on a physical resource. 
Multiplexing can be defined as the use of a single resource 
for different purposes at different times. Tor example the 
physical bus lines can be used both for addresses and data 
during different times during the machine cycle. Similarly, 
logical users of a hardware system can share resources. The 
ability to multiplex processors and memory efficiently 
provides a mechanism for the virtualization of these 
physical resources. 

a. Processor Virtualization. 

A virtual processor is a data structure that 
contains a complete description of a process in execution on 
a physical processor at a given instant. This description is 
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contained in the process execution point. The address space 
of the process must he accessahle to the virtual processor 
when it is loaded on (hound to) a CPU. To provide a useful 
virtualization capability, the CPU must have the ability to 
efficiently multiplex process exection points and address 
spaces (i.e., it must support mul t ipro^ramming* ) . 

b. I'^emory Virtualization. 

In many memory handling schemes Process cannot 
run unless the entire address space is loaded in primary 
memory. This may require a large main memory or it may 
restrict the size of the address space. An alternative plan 
requires an 'operating system which manages primary and 
secondary memory to create the illusion of a memory which is 
larger than the system's primary memory. Since the larger 
memory is only an illusion, it is often called virtual 
storage. The logical, relocatable, information objects 
created by memory segmentaion, provide an essential memory 
multiplexing mechanism for the efficient implementation of 
virtual storage. 

c. Protection Domains 

An essential requirement of internal security is 
that the security kernel be isolated from other elements of 
the system. This can be accomplished by the construction of 
protection domains. Protection domains are used to arrange 
process address spaces into rings of different privilege. 
This arrangement is a hierarchical structure in which the 
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most pri vi ledred domain is the innermost ring. The structure 



essentially divides the address space into levels of 
abstraction with strictly enforced gates at the ring 
boundaries (Figure 5). 



SASS Protection Rings 




Protection rings may be created in software, but 
a hardware implementation, where gate use is enforced by 
hardware, is much more efficient [16]. 

The protection provided by the ring structure is 
not a security policy. (Security protection is implemented 
by a lattice structure known to the Non-di sere ti onary 
Security module in the kernel.) It does, however, enforce 
the hierarchy of the virtual machine by creating a 
privileged kernel ring within the supervisor ring. 



E. HARDWARE SELECTION 

The manifestation of an operating system design is, of 
course, software in execution on system equipment. If system 
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equipment must be selected early in the design, care m.ust be 
taken to insure that overall system design goals are 
compatible with actual hardware capabilities. If design 
goals must be met (e.g., the enforcement of internal 
security in SASS), then actual hardware selection should be 
made late in the design process. Then, even if a poor 
hardware choice is made, the penalty for correcting it will 
be small, since only the lowest level of the design (where 
resources are virtualized) need be changed. In any case the 
design of the operating system and the design or selection 
of system hardware must proceed in concert. 

1. Zilog ZSg01 

The ZPC01 is a general purpose 15-lit microprocessor 
[IT] with an architecture which supports memory segmentation 
and two-domain operations. It was selected as the target 
machine for implementation of the system because of the full 
range of support and close match it provided to design 
requirements. These supporting features are described below. 

a. l^.emory Segmentation 

The C?U can directly access 6M bytes of address 
space using a memory segmentation capability provided 
externally by a Memory Management Unit (Z8010 MMU). The 
23-bit address required to address 8M bytes is a logical two 
dimensional address consisting of a 7-bit segment number and 
a 16-bit offset. The memory management unit converts this 
into a 24-bit address for the physical memory. The address 
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space can be divided into as many as 12S relocatable 
segments containing? up to 64K bytes each. Each rremory 
segment can be assigned several attributes which provide 
memory access protection (read only , system mode only 
(i.e., ring #), execute only, etc.) and memory management 
data (changed, referenced), itfith these capabilities the 
Z8001 CPU can support all requirements for segmentation, 
memory virtualization and protection domains, 
t. Mul t iprogramming 

Processor multiplexing is supported by the CPU's 
multiprogramming capabilities. MIIITI-MICRO instructions aid 
in establishing a synchronization mechanism (by mutual 
exclusion) between multiple processors. Seperate stack, data 
and code address spaces are maintained for each ring of 
operation. The load multiple instruction allows the contents 
of registers to be saved and loaded efficiently. These 
features permit efficient storing and loading of process 
execution points. 

Address space multiplexing is also supported but 
is somewhat inefficient. In some systems, such as Multics 
[IS], a descriptor base register (PER) is provided to point 
to a process descriptor segment in memory, so changing the 
address space of the physical processor is accomplished 
merely by changing the PER. Since the ZS2Z1 CPU implements 
the descriptor segment as a collection of descriptor 
registers in the MMU, all of the descriptors for the address 
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space must te saved and loaded to change processes. This can 
make processor multiplexing (multiprogramming) quite 
inefficient. In the worst case, when the entire is saved 
and loaded, a process switch will take about 2 ms. It may be 
possible to improve on this performance by increasing the 
number of MMU's in the system. Then the address space can be 

V. 

changed simply by switching control to another MMU. 
c. Two-Domain Operations 

The ZS001 CPU can operate in either system mode 
or normal mode. In the system mode all operations are 
allowed, but in the user mode, certain system instructions 
are prohibited. , The system call instruction allows 
controlled entry to the system mode. This two-domain 
instruction capability supports the two domain sturcture of 
SASS by providing a single controlled entry into the kernel 
(SYSTEM CALL instruction). The descriptors contained in the 
MMU registers provide the capability to partition process 
address spaces into supervisor and kernel domains. 

2 . Selection Rationale 

The characteristics listed above - processor 
multiplexing support, a memory segmentation capability, 

multiple domain insturctions , and multiple domain memory 

/ 

partitioning - are features which are essential to an 
efficient implementation of SASS. The Z£££l has other 
desirable features: vectored and non-vectored interrupts, 

large, powerful instruction set, many data types, etc. These 
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attributes make the Zilog system a suitable choice as a bare 
machine for the Secure Archival Storage System. 

This chapter has provided a description of the 
methodology employed in the design and specification of 
SASS. In particular it was noted that a top-down design 
philosophy most effectively supported implementation of 
system design goals. Requirements supporting the primary 
design goal of internal security and other general and 
specific goals were defined and traced to desired hardware 
capabilities. Finally, capabilities of Zilog's ZS££1 
microprocessor which support the SASS design were described. 

Chapter Three will provide an overview of the SASS 
design. The design will be described from a process 
viewpoint and the hierarchical structure of the distributed 
kernel will be examined. 
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III. SECURITY KERNEL D2SIG?^I 



The hi^h level design of the Secure Archival Storage 
System can he described by a collection of cooperating 
processes. The use of processes to perform operating system 
functions greatly simplifies the problem of describing the 
asynchronous manner in which services are requested. 

A. PROCESS VIEW 

There are two kinds of processes within SASS» supervisor 
processes and kernel processes. Supervisor processes provide 
high level services to host computers [2]. Certain functions 
of the operating system are distributed throughout all of 
these processes? that is. supervisor processes logically 
share a collection of distributed kernel modules. Kernel 
processes provide specialized services within the operating 
system. The system user is not aware of the existence of 
these processes, but they are called upon, within the kernel 
domain, by supervisor processes to perform necessary 
operating system functions in support of user services. 
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1 . Supervisor Processes 

One pair of supervisor processes, an I /C Kanag'er and 
a Yile Manager, represents each computer host supported hy 
SASS . 

The File Manager controls SASS and directs all 
interaction between SASS and computer hosts in order to 
maintain a structure of hierarchical files on behalf of each 
host It interprets commands received from hosts via the I/O 
Manager and coordinates tne execution of requested services 
with assistance from the I/O Manager and the Memory Manager 
(described below). 

The I/O Manager transfers information via a link 
between each host and SASS. Lata is transfered by fixed-size 
packets in command, data, and synchronization formats. The 
I/O Manager provides only a transfer service and does not 
interpret the data . 

2. Kernel ?roce<;se^ 

The two kernel processes used by SASS are the Memory 
Manager and the Idle process. The Memory Manager controls 
primary and secondary memory. The design of this process is 
the topic of concurrent thesis research [3] . The Memory 
Manager transfers segments between primary and secondary 
memory in response to requests from supervisor processes. 

The Idle process defines the 'no work state of the 
system. SASS attempts to schedule useful work on system 
processors whenever possible. Only when there is no work to 
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l;e done, (i.e., no commands pending from hosts) will this 
process te called upon to execute. 

3 . Plost Environment 

Host computers view SASS as a remote data warehouse 
where they may store and retrieve files (figure 6). Each 
host is provided with a virtual file hierarchy constructed 
from directory and data files. A pair of SASS supervisor 
processes (an I/O Manager and a File Manager) provide each 
host with a set of commands hy which it may store and 
retrieve files in its virtual file system and share files 
with other hosts. The distributed kernel functions of each 
process control the physical resources of the system in 
support host commands and SASS security policy. 



SASS Process Configuration 




hardware 






data warehouse 



FIGURE 6 
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E. VIRTUAL r^ACHINE VIEW 

The (distributed modules of the security kernel create a 
virtual hierarchical machine which controls process 
interactions and manages physical processor resources. The 
kernel is not aware of the details of process tasks. It 
knows each process only by a name (viz., an entry number in 
a table) and provides processes with scheduling and 
interprocess communication services based on this process 
identifier. All supervisor processes share the modules of 
this virtual hierarchical machine (Figure 7). 

The kernel is constructed in layers of abstraction. Each 
layer, or level, builds upon the resources created at lower 
levels. The rules of abstraction described in Chapter 2 were 
applied to the design of this structure. Level £ is the bare 
machine which provides the physical resources (processors 
and storage) upon which the virtual machine is constructed. 
The remainder of this chapter will describe the level of 
virtualization (or layer of abstraction) created by each 
distributed kernel module. 

1 . Inner Traffic Controller Module 

Level-1 of this virtual machine is the Inner Traffic 
Controller Module. This module creates a set cf virtual 
processors with the extended instruction set: SIGNAL, WAIT, 
SWAP_VDBR, IDLE, SST_VPREEM?T , TEST_VPREEMPT , and 
RUNNING VP. 
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DISTRIBUTED KERNEL 




Figure 7 
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SIGNAL and WAIT provide an interprocessor 
communication mechanism used within the kernel to provide 
multiprogramming. These instructions invoke the level-1 
scheduling procedure, GSTWORK, which multiplexes virtual 
processors on a physical processor. 

SWAF_VI)BR and IDLE are instructions invoke<5 from 
level-2 hy the Traffic Controller Module to schedule 
processes on a virtual processor. 

SET_VPREEMFT and TEST_VFEESMFT create a virtual 
processor interrupt mechanism. SST_VFRSEMFT is invoked ^rom 
level-2 when the traffic controller desires to load a new 
process on a virtual processor that is not scheduled. 
TEST_VFRESMFT is invoked hy the Gatekeeper of each 

distributed process upon every exit from the kernel domain. 
The Gatekeeper unmasks virtual interrupts hy testing- the 
interrupt flag of the scheduled virtual processor. If the 
flag is set, a virtual interrupt handler is invoked, 
otherwise the process enters the supervisor domain normally. 

RUNNING_VF is invoked from level-2 to provide the 
Traffic Controller with the identity of the currently 
scheduled virtual processor. The identity of a particular 
processor must he known in the virtual environment, just as 
the identity of a physical processor is required in a 
multiprocessor system. 
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2 . 



?T’affic Controller i^od u 1 e 



The Traffic Controller resides at level -2. It 
mana,^es the scheduling of processes on virtual processors hy 
invoking the extended instructions of the virtual processors 
in level-1. In addition to iirplemen ting the level-2 
scheduling al^?orithm, the Traffic Controller creates the 
extended instruction set: ADVANCE, AWAIT, and PHOCESS_CLASS . 

ADVANCE and AWAIT are used to irrplement eventcounts 
and sequencers [ll] , an inter-processor communication (IPC) 
mechanism invoked hy the supervisor. Although SIGNAL and 

WAIT provided an adequate interprocessor synchronization 

( 

mechanism within kernel. Parks [2] determined that 
supervisor process synchronization would he more effectively 
served in the secure environment of SASS hy the use of 
eventcounts . 

PROCESS _CLASS is invoked from level-3. It returns 
the label, subject access class, of the current process for 
determining a suhject-ohject relation. 

a. Scheduling 

Scheduling functions are divided between the 
Inner Traffic Controller and the Traffic Controller. The 
Inner Traffic Controller multiplexes virtual processors on a 
CPU. The Traffic Controller schedules processes on virtual 
processors . 

The division of the scheduling algorithm between 
these two levels simplifies its design, because it seperates 
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the issues of virtual processor management 
(multiprogramming) from virtual memory management [12] . A 
design choice was made to provide each system CPU with a 
small fixed set of virtual processors. Since the virtual 
processor data "base is shared by all system CPU's, it must 
remain permaently in global memory. 

The process data base, used to implement level-2 
scheduling will be much larger. Since supervisor processors 
are known to the entire system, this data must also be kept 
in global memory. Because level-2 is subject to memory 
management, this data could be kept on secondary storae’e and 
moved to primary memory when requested. 

SASS does not provide dynamic memory managemient, 
therefore the two-level scheduling design presented here is 
not essential to the design. However, the structure has beer, 
provided in this implementation to support more complex 
family members of the O'Connell-Richardson design. Figure £ 
illustrates the two levels of scheduling employed by the 
distributed kernel. 

The two virtual processors (Mem_Mgr_VP and 
Idle_7P in Figure 8) are permanently bound to kernel 
processes and are not in contention for process scheduling. 
The remaining VP's are temporarily bound to supervisor 
processes as determined by the Traffic Controller. If no 
supervisor process is available, the Traffic Controller 
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invokes the Inner Traffic Controller (IDL3) which leads an 
Idle process on the virtual processor. 

The Inner Traffic Controller schedules virtual 
processors on the physical processor. Ready virtual 
processors with temporarily bound idle processes (VF #1 and 
VP #2 in Figure 6) will be scheduled only to give an Idle 
process away for a supervisor process (i.e., when virtual 
preempt flag is set). The Idle process will actually run 
when the virtual processor to which it is permanently bound 
(the Idle-*VF in Figure S) is scheduled. This will happen 
only when all other VP's are waiting or temporarily bound to 
Idle processes, i.e., when there is no useful work for the 
CPU. 
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TWO-LEVEL SCHEDULING 




Figure 8 
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Non-Eiscretionary Security Module 



The Non-Eiscretionary Security module in level-3 
reflects the system's security policy. It compares tv.o 
labels, subject and object access classses, passed to it by 
other modules, and returns the relationship of the labels 
based on a lattice structure known to it. To perform this 
function it provides the extended instruction, R!^IATI0N, 
which is used by the Event Manager and the Segment Manager 
to determine access permission. These modules make decisions 
about access based on the relationships; equal, less than, 
greater than, and not related. The Non-di scretionary 
Security module is the only module which interprets the 
labels themselves. A different security policy (e.g., 
Privacy Act vs DOE) can be implemented simply by chan^in^ 
the lattice structure used in this module. 

4 . Event Manager Module 

The Event Manager is a level-3 module invoked by 
supervisor processes via the gatekeeper. This module creates 
a set of extended instructions: AEVANCE, A'v'AlT, REAI and 
TICKET. It determines the access permission of desired 
interprocess communications and obtains a global handle from 
a Memory Manager data base where event data is stored. If 
access is permitted, the event manager passes this handle, 
which identifies the event, to the Traffic Controller where 
the appropriate event count instruction is invoked. For 
sequencer operations the Memory Manager is invoked directly. 
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The use of the handle is necessary because of the design 
choice to store event data in a data base of the Merr;ory 
Manager [3]. This insures that inter-domain IFC does not 
violate SASS security policy, 

5 . Segment Manager Module 

The Segment Manager also resides in level-3. This 
module creates a set of extended instructions for 
manipulating segments. These instructions are: CREATE, 
DELETE, SWAP_IN, SWAP_0UT, MAKE_SNOWN, and TERMINATE. 
Modules of the supervisor domain invo''<e tnese instructions 
to coordinate host support. CREATE and DELETE add and remove 
segments from the system. SWA?_IN and SWAF_0UT cause a 
segment to be moved between primary and secondary memory 
(i.e., between a paged disk and contiguous memory). 
MAXE_KNOWN and TERMINATE add and remove a segment from a 
process address space. 

6 . C-atekeeoer Module 

The Gatekeeper exists on the boundary between the 
kernel and supervisor domains. It provides the sole entry 
point into the kernel domain, so when the execution point of 
a process enters the kernel domain of its address space it 
must do so through the Gatekeeper. 

The hardware of the MMU partitions process address 
spaces into two domains by setting the ring number fzero or 
one) in each segment's 



52 



attribute register. Software provided by the C-ateieeper 
performs the following* additional functions: 

Kernel 3ntry 

1. Unmask Hardware interrupts. 

2. Save supervisor domain registers. 

3. Save supervisor stack pointer in kernel stack 
segmen t . 

4. Check arguments and invoke appropriate kernel 
entry points. 

(Virtual machine instructions). 

Kernel Exit 

1. Invoke TEST_VPREE^iPT 

(i.e., umnask virtual interrupts). 

2. P.estore supervisor domain stack pointer. 

3. Restore supervisor domain registers. 

4. Unmask hardware interrupts. 

5. Return to process execution point in 

in supervisor domain. , 



C. REVIEW 

This chapter has described the high level design of the 
Secure Archval Storage System kernel from two points of 
view. In the process view the system is composed of pairs of 
supervisor processes (an I/O Manager and a File Manager) for 
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each host computer and a pair of kernel processes (a Memory 
^lanaper and an Idle process) for each real processor in the 
system. The supervisor processes provide hl^h level services 
to host computers while the kernel processes control system 
memory resources and provide an idle system state. 
Distributed kernel functions implement two levels of 
scheduling, provide interprocessor synchronizati cn and 
communication, manage segments, and isolate and protect the 
kernel domain of process address spaces. The distributed 
kernel is constructed as a hierarchical virtual machine. 
Evidence of the versitility of the loop-free, configuration 
independent structure of this design can be observed in 
concurrent thesis work in this area [19]. An Intel 8?36 
multiprocessor operating system implementation, based on the 
same design, uses essentially the same virtual insturction 
set described in this chapter. An implementation of the 
first two levels of this kernel machine is presented in the 
next chapter. 
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IV. IMPL5, MENTATION! 



Implementation of the distributed kernel was simplified 
by the hierarchical structure of the design for it permitted 
methodical bottom-up construction of a series of extended 
machines. This approach was particularly useful in this 
implementation since the bare machine, the Z600G 
Developmental I^odule, was provided with only a small amount 
of software support. 

A. DEVFI.OPyENTAL SUPPORT 

A. Zilog MCZ Developmental System provided support in 
developing Z800E machine code. It provided floppy disk file 
management, a text editor, a linker and a loader that 
created an image of each ZS000 load module. 

A ZS000 Developmental Module (DM) provided the necessarv 
hardware support for operation of a ZS002 ncn-segmented 
microprocessor and 16K words (32K bytes) of dynamic HAM, It 
included a clock, a USART, serial and parallel I/O support, 
and a 2K PROM monitor. 

The monitor provided access to processor registers and 
memory, single step and break point functions, basic I/O 
functions, and a download/upload capability with the MCZ 
system. 



55 



Since a segmented version of tne processor v/as not 

available for system development, se^'menta tion hardware was 
simulated in software as an MMU image (see figure 9). 

Although this data structure did not provide the hardware 

support (traps) required to protect segments of the kernel 

domain, it preserved the general structure of the design. 
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Figure 9 



B. inner traffic controller 

The Inner Traffic Controller runs on the bare machine to 
create a virtual environment for the remainder of the 
system. Only this module is dependent on the physical 
processor configuration of the system. All higher levels see 
only a set of running virtual processors. A kernel data 
base, the Virtual Processor Table is used by the Inner 
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Traffic Controller to create the virtual en vi ronrr.en t of this 
first level extended machine. A source listing of the Inner 
Traffic Controller nodule is contained in Appendix A. 

1 . Virtual Processor Table (VPT) 

The VFT is a data structure of arrays and records 
that maintains the data used hy the Inner Traffic Controller 
to multiplex virtual processors on a real processor and to 
create the extended instruction set that controls virtual 
processor operation (see Figure 10). There is one table for 
each physical processor in the system. Since this 
implementation was for a uniprocessor system (the 2c0C0 Dy), 
only one table was necessary. 
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The tdtle contains a LOCK which supports an 
exclusion mechanism for a multiprocessor system. It was 
provided in this implementation only to preserve the 
generality of the design. 

The Descriptor rase Register (DIR) hinds a process 
to a virtual processor. The DBR points to an 
containing the list of descriptors for segments in the 
process address space. 

A virtual processor (V?) can he in ore of three 
states: running, ready, and waiting (figure 11'. 



Virtual Processor States 




FIGURE 11 




A runniriff ?? is currently scheduled on a real processor. A 
ready VF is ready to he scheduled when selected hy the 
level-1 scheduling algorithm. A waiting V? is awaitinp a 
message from some other VF to place it in the ready list. In 
the meantime it is not in contention for the real processor. 

2. Level-1 Scheduling 

Virtual processor state changes are initiated by the 
inter-virtual-urccessor communication mechanisms, SIGNAL and 
WAIT. These level-1 instructions implement the scheduling 
policy hy determining what virtual processor to hind to the 
real processor. The actual binding and unbinding is 
performed by a Processor switching mechanism called SWA?_I)ER 
[10]. Processor switching implies that somehow the execution 
point and address space of a new process are acquired by the 
processor. Care must be taken to insure that the old process 
is saved and the new process loaded in an orderly manner. A 
solution to this problem, suggested by Saltzer [l£] , is to 
design the switching mechanism so that it is a common 
procedure having the same segment number in every address 
space . 

In this implementation a processor register (K14) 
was reserved within the switching mechanism for use as a 
DBF-. Processor switching was performed by saving the old 
execution point ( i.e., processor registers and flag control 
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word), loading the new DBR and then loading the new 
execution point. The processor switch occurs at the instant 
the D3R is changed (see figure 12). Because the switching 
procedure is distributed in the sane numbered segment in all 
address spaces, the "next" instruction at the instant of the 
switch will have the same offset no matter what address 
space the processor is in. This is the key to the proper 
operation of SWA?_BBR. 
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Figure 12 
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To convert this switching mechanism to segmented 
hardware it is necessary merely to replace SWi^?_CEF with 
special I/O block-move instructions that save the contents 
of the ^^'U in the appropriate and load the 

contents of the new 1/MU_IMAGS into the 
a. Getwork 

SWAP_rEH is contained within an internal Inner 
Traffic Controller procedure called GETWORK. In addition to 
multiplexing virtual processors on the CPU, GETV/ORI 

interprets the virtual processor status flags, IDLE and 
PREEMPT, and modifies VP scheduling accordingly in an 
attempt to keep the CPU busy doins* useful work. 

There ar» actually two classes of idle processes 
within the system. One class belongs to the Traffic 

Controller. Conceptually there is a ready level-2 idle 
process for each virtual processor available to the Traffic 
Controller for scheduling. When a running process blocks 
itself, the Traffic Controller schedules the first ready 

process. This will be an idle process if no supervisor 

processes are in the ready list. 

The second class of idle process exists in the 
kernel. The kernel Idle process is permanently bound to the 
lowest priority virtual processor. 
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The distinction is made between these classes 
because of the need to keep the CPU busy doing useful work 
whenever possible. There is no need for GFTWOP.K to schedule 
a level-2 idle process that has been loaded on a virtual 
processoTt because the idle process does no useful work. The 
virtual processor IDIE_?LAG indicates that a virtual 
processor has been loaded with a level-2 idle process. 
GETWORK will schedule this virtual processor only if the 
PREEMPT flas is also Set. The PREEMPT flas is a signal from 
the Traffic Controller that a supervisor process is now 
ready to run. 

When GETWORK can find no other ready virtual 
processors with IDLE and PRESf^PT flaes off, it will select 
the virtual processor permanently bound to the kernel Idle 
process. Only then will the Idle process actually run on the 
CPU. 

Getwork contains two entry points. The first, a 
normal entry, resets the preempt interrupt return flag. (RC 
is reserved for this purpose within GETWORK.) The second, a 
hardware interrupt entry point, contains an interrupt 
handler which sets the preempt interrupt return flag. The 
DBR (R14) must also be set to the current value by any 
procedure that calls GETWORK in order to permit the SWAP_DPR 
portion of GETWORK to have access to the scheduled process 's 
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address space. Upon completion of the processor switch, 
GETWOEK examines the interrupt return flag to determine 
whether a normal return or an interrupt return is required. 

The hardware interrupt entry point in GETWOHK 
supports the technique used to initialize the system. Each 
process address space contains ^ kernel domain stack segment 
used hy S'VA?-DBR in GETWORK to save and restore 7? states. 
For the same reason that S*AP-DER is contained in a system 
wide segment number, the stack segment in each process 
address space will also have the same number (Segment #1 in 
this implementation). Each stack segment is initially 
created as though it's process had been previously preempted 
by a hardware interrupt. This greatly- simplifies the 
initialization of processes at system generation time. The 
details of system initialization will be described later in 
this chapter. It is important to note here, however, that 
GETWOEK must be able to determine whether it was invoked by 
a hardware preempt interrupt or by a normal call, before it 
can execute a return to the calling procedure. This is 
because a hardware interrupt causes three items to be placed 
on the system stack: the return location of the caller, the 
flag control word, and the interrupt identifier, whereas a 
normal call places only the return location on the stack. 
Therefore, in order to clean up the stack, GETWCRR rf’ust 
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execute an interrupt return (assembly ins true ti on : I HE? ' if 
entry was via the hardware preempt handler (i.e., P.2 set). 
This instruction will pop the three items off the stack and 
return to the appropriate location. If the interrupt return 
flag, R2, is off, a normal return is executed. 

During normal operation, SWAP-DEE manipulates 
process stacks to save the old V? state and load the new V? 
state. This action proceeds as follows (figure 13): 

1. The Flag Control Word (FCW), the Stack Pointer (F.15) 
and the preempt return flag (R0) are saved in the cld 
VP's kernel stack. 

2. The DBR (R14) is loaded with the new VP's DER. This 
permits access to the address space of the new process. 

3. The Flag Control Word (FCW), the Stack Pointer (P15) 
and the Interrupt Return Flag (R0), are loaded into the 
appropriate CPU res’isters. 

4. R0 is tested. If it is set, GSTWORK will execut® an 
interrupt return. If it is off, a normal return occurs. 
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FIGURE 13 



By constructing GETVORK in this way, hoth system 
initialization and normal operations can be handled in the 
same way. A high level GETWORK algorithm is giver, in figure 
14. 

3 . Virtual Processor Instruction Set 

The heart of the SASS schedulin°- mechanism is the 
internal procedure, GSTVORK. It provides a powerful internal 
primitive for use by the virtual processors and f-reatly 
simplifies the design of the virtual processor instruction 
set. Virtual processor instructions perform three types of 
functions: multiprogramming, process management and virtual 
interrupts . 
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GETWORK Procedure (ERR = R14) 

Beffin 

Reset Interrupt Return Flag (Rf") 

Skip hardware preempt handler 

Hardware Preempt Entry: 

Set ERR 

Save CPU registers 

Save supervisor stack pointer 

Set Interrupt Return Flag (R0) 

Get first ready VP 

Do while not Select 
If Idle flag is set then 
if Preempt flag is set then 
select 
else 

get next ready Vp 
end if 
else 
Select 
end i f 
end do 

SWAP_EBR: 

Save old VP registers in stack sefrment 
Swap dhr (R14) 

Load new VP registers in stack segment 

If Interrupt Return Flag is set then 
unlock VPT 

simulate GATEKEEPER exit: 

Call TEST_VPREEr^PT 

Restore supervvisor registers 

Restore supervvisor stack pointer 

Execute Interrupt Return (IRET) 
end if 

Execute normal return 



end GETWORK 



Figure 14 
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SIGNAL and WAIT provide synchronization and 
communication between virtual processors. They multiplex 
virtual processors on a CPU to provide multiproieramming. 
This implementation used a version of the signal and wait 
algorithms proposed by Saltzer [12]. In the SASS design each 
CPU is provided with a unique (fixed) set of virtual 
processors. The interaction among virtual processors is a 
result of multiprogramming them on the real processor. Only 
one virtual processor is able to access the 7PT at a time 
because of the use of the LOCK (S?IN_LOCK) to provide 
mutual exclusion. Therefore race and deadlock conditions 
will not develop and the signal pending switch used by 
Saltzer is not necessary. 

This implementation also included message passing 
mechamism not provided by Saltzer. The message slots 
available for use by virtual processors are initially 
contained in a queue pointed to by FREE-LIST. When a message 
is sent from one VP to another, a message slot is removed 
from the free list and placed in a FIFO message queue 
belonging to the VP receiving the message. The head of each 
VP's message queue is pointed to by MSG-LIST. Each message 
slot contains a message, the ID of the sender, and a pointer 
to the next message in the list (either the free list or the 
VP message list . 
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IDLE and SWAP_VDBR provide the Traffic Controller 

with a means of scheduling processes on the running V?. 

SST_VPRSEMPT and TEST_VPRSS?^PT install a virtual 

interrupt mechanism in each virtual processor, ’''hen the 

Traffic Controller determines that a virtual processor 

should pive up its process because a higher priority process 

is now ready, it sets the PREEMPT flag in that VP. Then, 

even if an idle process is loaded on the VP, it will be 

scheduled and will be loaded with the first ready process. 

« 

Test_VPreempt is a virtual interrupt unmasking mechanism 
which forces a process to examine the preempt flag each time 
it exists from the kernel, 
a. Wait 

WAIT provides a means for a virtual processor to 
move itself from the running state to the waiting state when 
it has no more work to do. It is invoked only for system 
events that are always of short duration. It is supported by 
three internal Procedures. 

SPIN_L0CK enables the running VP to gain control 
of the Virtual Processor Table. This procedure is only 
necessary in a multiprocessor environment. The running VP 
will have to wait only a short amount of time to gain 
control of the VFT. SPIN_L0CK returns when the VP has locked 
the VPT. 
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GET'VORK loads the first eligible virtual 
processor of the ready list on the real processor. Sefore 
this procedure is invoked, the running 7F is placed in the 
ready state. Both ready and running VP's are members of a 
FIFO queue. GETVfORK selects the first VP in this ready list, 
loads it on the CPU, and places it in the running state. 
When GFTWORK returns, the first VP of the queue will always 
be running and the second will be the first VP in the ready 
queue . 

GST_FIRST_MES3AGE returns the first message of 
the message list (also managed as a FIFO queue) associated 
with the running VP. The action taken by Wa.IT is as follows: 
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WAIT Procedure (Returns: Msg, Sender_IE'l 
Begin 

Lock VPT (call SPIN_LOCE) 

If message list empty (i.e., no work) Then 
Move VP from Running to Waiting state 
Schedule first eligible P.eady V? (call GPTWCFK^ 

end if 

(NOTE: process suspended here until 
it receives a signal and is 
selected bu GETWORK.) 

Get first message from message list 
(call GET_FIRST_M3G) 

Unlock VPT 

Return 
end WAIT 

If the running virtual processor calls WAIT and 
there is a message in its message list (placed there uhen 
another VP signaled it) it will get the message and continue 
to run. If the message list is empty it will place itself in 
the wait state, schedule the first ready virtual processor, 
and move it to the running state. The virtual orocessor will 
remain in the waiting state until another running VP sends 
it a message (via SIGNAL). It will then move to the ready 
list. Finally it will he selected by GETWCRK, the next 
instructions of WAIT will be executed, it will receive the 
message for which it was waiting, and it will return to the 
caller . 
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b. Sii?nal 



Messages are passed between virtual processors 
by the instruction, SIGNAL, which uses i'‘our internal 
procedures, 3PIM_L0CK, ENTER_MSG_LIST , MAKE_?IALT, and 
GSTWOHK. 

SPIN_L0CK, as explained above insures that only 
one virtual processor has control of the Virtual Processor 
Table at a time. 

ENTEP_MSG_LIST manages a FIFO message queue for 
each virtual Processor and for free messages. This queue is 
of fixed maximum length because of the implementation 
decision tc restrict the use of SIGNAL. A running 7? can 
send no more than one message (SIGNAL) before it receives a 
reply (i.e., WAIT's for a message). Therefore if there are N 
virtual processors per real processors, the message queue 
length, L, is: 

L = N - 1 

MAKE_P.EADY manages the virtual processor ready 
queue. If a message is sent to a V? in the waitine- state, 
MAKE_READT wakes it up (it places it in the ready state) and 
enters it in the ready list. If a running VP signals a 
waiting VP of higher priority, it will place itself back in 
the ready state and the higher priority VP will be selected. 
The action taken by signal is as follows: 
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SIGNAL Procedure (Messaget Ees tina tion_VP^ 

Begir. 

Lock VFT (call SFIN'_L0CK) 

Send message (call ENTFR_MSG_LIST ) 

If signaled ?F is waiting Then 
Wake it up and make it ready 
(call MAKE_READY) 

end i f 

Put running VP in ready state. 

Schedule first elgitle ready VP 
(call GETWORK) 

Unlock VFT 

Return (Success_code ^ 

End SIGNAL 

c. SWAP_VLBR 

SWAP_vrBR contains the same processor switching 
mechanism used in SV/AP_DBR, hut applies it to a virtual 
processor rather than a real processor. Switching is quite 
simple in this virtual environment hecaus® both processor 
execution point and address space are defined hy the 
Descriptor Base Register. S¥AP_VD3R is Invoked hv the 
Traffic Controller to load a new process on a virtual 
processor in support of level-2 scheduling. It uses GETWORK 
to control the associated level-1 scheduling. The action 
taken hy SWA? VDPR is: 
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SVAF_VrBR Procedure (New_DER) 
resin 

Lock VFT (call SPIN_10CK) 

Load running VP with New_EPR 

Place running VP in ready state 

Schedule first eligible readv VP 
(call GETWORK) 

Unlock VPT 

Return 

End SWAP_VD2R 

In this implementation one restriction is placed 
upon the use of this instruction. If a virtual processor's 
message list contains at least one message, it can not give 
up its current DPR. This problem is avoided as the natural 



result of 
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system events 
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process loaded on the VP.) 
d. IDLE 

The IDLE instruction loads the Idle EP? on the 
running virtual processor. Only virtual processors in 
contention for process scheduling will be loaded by this 
instruction. (The Traffic 
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Controller is not even aware of virtual processors 
pern’a nent ly bound to kernel processes,^ 

IDLE has the same scheduling effect as 
Sv/AF_VDBH, but it also sets the IDLE_FIAG on the scheduled 
VF. The distinction is made between the Two cases because, 
althoue^h the Traffic Controller must schedule an Idle 
process on the VF if there are no other ready processes, the 
Inner Traffic Controller does not wish to schedule an Idle 
VF if there is an alternative. Tnis would be a waste of 
physical processor resources. The setting of the IDLS_riAG 
by the Traffic Controller aids the Inner Traffic Controller 
in making this scheduling decision. Logically, there is an 
idle process for each VF; actually the same address space 
(DER) is used for all idle processes for the same CPU, since 
only one will run at a time. As previously explained, 
virtual processors loaded by this instruction will be 
selected by GSTWORK only to give the Idle process away fcr a 
new process in response to a virtual preempt interrupt. The 
action of IDLE is: 
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IDLE Procedure 



Besi n 

Lock VPT (call S?IN_L0CE) 

Load runaing- VP with Idle DBR 

Set VP's irLE_BLAG 

Place runnin,e: VP in ready state 

Schedule first elgihle ready V? 

(call GETVORK) 

Unlock VPT 

Return 

End IDLE 

e. SET_VPREE^^PT 

SET_VPREE'^PT sets the preempt interrupt flag on 
a specified virtual processor. This forces the virtual 
processor into level-1 scheduling contention, even if it is 
loaded with an Idle process. The instruction retrieves an 
idle virtual processor in the same way a hardware preempt 
retrieves an idle CPU ty forcing? the V? to he selected ty 
GETWORK. The only difference between the two cases is the 
entry point used in GETWORK. The action of SET_V?REEk?T is: 
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SET_VPREEMrT Procedure (7P) 

Begin 

Set VP's PREEMPT flag 

If VP belongs to another CPU Then 
send hardware interrupt 

end if 

Return 

End SET_VPREEMPT 

Since the action is a safe sequence, no 
deadlocks or race conditions will arise and no lock is 
required on the VPT. 

f. TEST_VPREEM?T 

Within the kernel of a multiprocessor system all 
process interrupts (which excludes system I/O interrupts) 
are masked. If process interaction results in a virtual 
preempt being sent to the running virtual processor by 
another CPU, it will not be handled since GETWCRK has 
already been invoked. TEST_VPREEMPT provides a virtual 
preempt interrupt unmasking mechanism. 

TES T_VPEEEMPT mimics the action of a physical 
CPU when interrupts are unmasked. It forces the process 
execution point back down into the kernel each time the 
process attempts to leave the kernel domain, where the 
preempt flag of the running VP is examined. If the flag is 
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oi^ft TEST_VPR3EMPT returns and the execution point exits 
through the Gatekeeper into the supervisor domain of the 
process address space as described above. However, if the 
PREEMPT flag is on, the TEST_VPHEEMPT executes a virtual 
interrupt handler located in the Traffic Controller. This 
jump from the Inner Traffic Controller to the Traffic 
Controller (TC_PREEMPT_HA.\DLER) is a close parallel to the 
action of a CPU in response to a hardware interrupt, that is 
a jump to an interrupt handler. The Traffic Controller 
Preempt Handler forces level-2 and level-1 scheduling to 
proceed in the norm^al manner. The preempt handler forces the 
Traffic Controller to examine the APT and to apply the 
level-2 scheduling algorithm, TC_GET'VORK. If the APT has 
been changed since the last invocation of this scheduler, it 
will be reflected in the scheduling selections. Eventually, 
when the running VP's preempt flag is tested and found to be 
reset, TEST_V?REEM?T will return to the Gatekeeper where the 
process execution point will finally make a normal exit into 
its supervisor domain. TEST_VFREEMFT performs the following 
action: 
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TEST_VFRE2MFT Procedure 

Begin 

Do while running VP's PREEMPT flafr is set 
Reset preempt flag 
Call nreempt handler 

(call TC_PRSEMPT_HANDLSR) 

End do 

Re turn 

End TEST_VPREEMPT 
C. TRAFEIC CONTROLLER 

The Traffic Controller runs in a virtual environment 
created by the Inner Traffic Controller. It sees a set of 
running virtual processor instructions: SWAP_7DPR, IDLE, 

3ET_VPREEMPT , and RUNNINC-_VP, and provides a scheduler, 
TC_GETWORK, which multiplexes processes on virtual 
processors in response to process interaction. It also 
creates a level-2 instruction set: ADVANCE, A.VAIT, and 

PROCESS_CLASS , which is available for use by higher levels 
of the design. The Traffic Controller uses a global data 
base, the ACTIVE PROCESS TABLE to support its operation. 

1 . Active Process Table (APT) 

The Active Process Table is a system-wide kernel 
database containing entries for each supervvisor process in 
SASS (Figure 15). It is indexed by active process ID. 
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The structure of the APT closely parallels that of the 
Virtual Processor Table. It contains a LOCK to support the 
implementation of a mutual exclusion mechanism, a 
RUNNING_LIST, and a READT_LIST_EEAD . The Traffic Controller 
is only concerned with virtual processors that can be loaded 
with supervisor processes. Since two VP's are permanently 
bound to kernel processes (the Memory Manager and the Idle 
Process), they cannot be in contention for level-2 
scheduling; the Traffic Controller is unaware of their 
existence; since there are a number of available virtual 
processors, the RUNNING_LIST was implemented as an array 
indexed by Vp_ID. The READY_LIST_HEAD points to a FIFO queue 
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that includes both running and ready processes. The running 
processes will he at the top of the ready list. 

Because of their completely static nature, idle 
processes require no entries in the APT. Logically, there is 
an idle process at the end of the ready list for each VP 
available to the Traffic Controller. If the ready list is 
empty, TC_GETWORK loads one of these "virtual" idle 
processes by calling IDLE, and enters a reserved identifier, 
#IDLE, in the appropriate RUNNING_LIST entry. This 
identifier is the only data concerning idle processes that 
is contained in th.e APT. Idle process scheduling 
considerations are moved down to level-1, because the Inner 
Traffic Controller knows about physical processors, and can 
optimize CPL- use by scheduling idle processes only when 
there is nothing else to do. 

The subject access class, S_CLASS, provides each 
process with a label that is required by level-3 modules to 
enforce, the SASS non-discreti onary security policy. 

2 . Level-2 Scheduling 

Above the Traffic Controller, SASS appears as a 
collection of processes in one of the three states: running, 
ready, or blocked. Running and ready states are analogous to 
the corresponding virtual processor states of the Inner 
Traffic Controller. However, because of the use of 
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eventcount synchronization mechanisms ty the Traffic 
Controller, the blocked state has a slightly different 
connotation than the VP waiting state. 

Blocked processes are waiting for the occurrence of 
a non-system event, e.g., the event occurrence ray be 
signalled from the supervisor domain. When a specific event 
happens, all of the blocked processes that were awaiting 
that event are awakened and placed in the ready state. This 

broadcast feature of event occurrence is more powerful than 

the message passing mechanism of SIGNAL, which must be 
directed at a single recipient. 

Just as SIGNAL and WAIT provide virtual processor 
multipliiin^ in level-1, the eventcount functions, ACVANCE 
and AWAIT, control process scheduling in level-2, 
a. TC_GETWORK 

Level-2 scheduling is implemented in the 

internal Traffic Controller procedure, TC_CETWORK. This 
procedure is invoked by eventcount functions when a process 
state change may have occurred. It loads the first ready 
process on the currently scheduled V? (i.e., the virtual 
processor that has been scheduled at level-1 and is 

currently executing on the CPU). 
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TC GUT WORE Procedure 



Pe^in 

VP_ID := RUNNING_VP 

Do while not end of ready list 
if process is running then 
get next ready process 
else 

ETTNNING_LIST [VP_ID] := PROCESS_IP 
Process state := running 
SWAP_VDBR 
end i f 
e nd do 

If end of running list (no ready processes) Then 
RUiMNI?4G_LIST := #IDIE 
IDLE 
end if 

Return 

End TC GETyORK 



A source listing of TC_GS7yORS is contained in 

Appendix B. 

h. TC_PREEMPT_EAN’DLSR 

Preempt interrupts are mashed while a process is 
executing in the kernel domain. As the process leaves the 
kernel, the gatekeeper unmasks this virtual interrupt ly 
invoking TEST_VPREEMPT. This instruction tests the scheduled 
VP's PREEMPT flag. If this flag is off, the process returns 
to the Gatekeeper and exits from the kernel; hut if the flag 
is set, TEST_VPREEMPT calls the Traffic Controller's virtual 
preempt interrupt handler, TC_PREEMPT_KANDLE3 . This handler 
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invokes TC_GSTVORK, which re-evaluates level-2 scheduling. 
Eventually, when the schedulers have completed their 
functions, the handler will return control to the preempted 
process, which will return to te Gatekeeper for a normal 
exit. This sequence of events closely parallels the action 
of a hardware interrupt, hut in the environment of a virtual 
processor rather than a CPU. The virtualization of 
interrupts provides the ability for one virtual processor to 
interrupt execution of another that may, or may not, he 
running on a CPU at that time. This is provided without 
disrupting the l 0 f>‘ical structure of the system. This 
capability is particularly useful in a multiprocessor 
environment where the target virtual processor may he 
executing on another CPU. Because these interrupts will he 
virtualized, the operating system will retain control of the 
system. The action of the TC_P?.EEKPT_HAMDLEH is described in 
the procedure below. A source listing is contained in 
Appendix B. 
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TC_PHEEM?T_HANBLER Procedure 

Be^in 

Call VAIT_L0CK 

7P_ID := RUNNING_VP 

?rocess_IB := RUNNING LIST [V?_ID] 

If process is not idle Then 
Process state := ready- 
end i f 

Call TC_GETW0?K 
Call WAIT_UNLOCE 
RETURN 

End TC_PEEEMPT_HANDIER 

WAIT_LOCK and WAIT_UMLOCE provid® an exclusion 
mechanism which prevents simultaneous multiple use of ihe 
APT in a multiprocessor conf i^?urat ion . This mechanism 
invokes iflfAIT and SIGNAL of the Inner Traffic Controller. 

3 . Even tcoun ts 

An eventcount is ' a non-decreasine integer 
associated with a global object called an event [11] . The 
Event Manager, a level-3 module, controls access to event 
data when required and provides the Traffic Controller with 
a HANDLE, an INSTANCE, and a COUNT. The values for all 
eventcounts (and sequencers) are maintained at the Memory 
Manager level and are accessed by calls to the Memory 
Manager, The HANDLE provides the traffic controller with an 
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event ID, associated with a particular segment. INSTANCS is 
a more specific definition of the event. For example, each 
SASS supervisor segment has two eventcounts associated with 
it, a INSTAMC2_1 and a INSTANCE_2, that the supervisor uses 
keep track of read and write access to the sefi“ment [2]. 
Eventcounts provide information concerning system-wide 
events. They are manipulated hy the Traffic Controller 

functions ADVANCE and AWAIT and ty the Memory Manager 

functions, READ and TICKET. A proposed high level design for 
ADVANCE and AWAIT is provided in Appendix C. 
a. Advance 

ADVANCE signals the occurrence of an event 
(e.g., a read access to a particular supervisor segment). 
The value of the eventcount is the number of ADVANCE 

operations that have been performed on it. V.'hen an event is 
advanced, the fact must be broadcast to all blocked 

processes awaiting it and the process must be awakened and 
placed on the ready list. Some of the newly awakened 
processes may have a higher priority than some of the 
running processes. In this case a virtual preempt, 
SET_VPREEMPT (VP_ID), must be sent to the virtual processors 
loaded with these lower priority processes. 



b. Await 

When a process desired to block itself until 
a particular event occurs, it invokes AWAIT. This procedure 
returns to the calling process when a specified eventcount 
is reached. Its function is similar to WAIT. 

c . Read 

REAE returns the current value of the 
eventcount. This is an Event .Manager (level three) function. 
This module calls the Memory Manager module to obtain the 
eventcount value. 

d. Ticket 

TICKET provides £ complete time-ordering of 
possibly concurrent events. It uses a non-decreasing 
integer, called a sequencer, which is also associated with 
each supervisor segment. As with REAE, this is an Event 
Manager function that calls the Memory Manager to access the 
sequencer value. Each invocation of TICKET increments the 
value of the sequencer and returns it to the caller. Two 
different uses of ticket will return two different values, 
corresponding to the order in which the calls were made. 

D. SYSTEM INITIALIZATION 

Because the Inner Traffic Controller'? scheduler, 
GETWORK, can accommodate both normal calls and hardware 
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interrupt jumps, the problem of system initialization is not 
difficult. 

When SASS is first started at level-1, the Idle V? is 
running and the memory manager VP, which has the highest 
priority, is the first ready virtual processor in the ready 
list. All VP's available to the Traffic Controller for 
level-2 schedling are ready. Their IDLP_FLAG's and PP.EEMFT 
flags are set. 

At level-2, all VP's are loaded with idle processes and 
all supervisor processes are ready. 

The kernel stack segment of each process is initialized 
to appear as if it had been saved by a hardware Preempt 
interrupt (Figure 16). 
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preempt interrupt. The first three items on the stack: the 
process entry point, the initial process flag control word, 
and an interrupt indentifier, are also initialized to 
support the action of a hardware interrupt. 

To start-up the system, R14 (the DBR) is set to the Idle 
process DBRJ the CPU Program counter is assigned the 
?RESi^PT_ENTRT point in GSTWORK; the CPU Flag Control Word 
(Few) is initialized for the kernel domain? and the CPU is 
started. Because the Idle_VP is the lowest priority VP in 
the system, it will place itself hack in the ready state and 
move the f^emory Manager in the running state. The Memory 
Manager will execute an interrupt return because the 
interrupt return flag was set hy system initialization. 
There will he no Work for this kernel process so it will 
call WAIT to place itself in the waiting state. The next 
ready VP is idling, hut since it's ID1E_FIAG and PREEMPT 
flag are set, GETWORK will select it. It too will execute an 
interrupt return, hut because its PREEMPT flag is set, it 
will call TC_PREEMPT_HA.NDLER . This will cause the first 
ready process to he scheduled. Each time a supervisor 
process blocks itself, the next idle VP will he selected and 
the sequence will he repeated. 

The action described above is in accord with normal 
operation of the system. The only unique features of 
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initialization are the entry point (PHESi^PT-ENTHT : in 
GETWOP.K) and the values in the initialized kernel stack. 

The implementation presented in this thesis has been run 
on a Z0000 developmental module. System initialization has 
been tested and executes correctly. At the current level of 
implementation, no process multiplexing function is 
available. There is no provision for unlocking the APT after 
an initialized process has been loaded as a result, a call 
to the Traffic Ccntorller (viz., ADVANCE or AWAIT). In a 
process multiplexed environment this would cause a system 
deadlock. Once the process left the kernel domair with a 
locked AFT, no process would be able to unlock it. The 
Traffic Controller must handle this system initialization 
problem . 



90 



V. CONCLTTSION 



The implementation presented in this thesis created a 
security kernel monitor that runs on the ZSe£C Bevel opmental 
Module. This monitor supports multiprogramming and process 
management in a distributed operating system. The process 
executes in a multiple virtual processor environment which 
is independent of the CPU configuration. 

This monitor was designed specifically to support the 
Secure Archival Storage System (SASS ) [If 2, 3]. However, 
the implementation is based on a family of Operating Systems 
[4] designed with a primary goal of providing multilevel 
security of information. Although the monitor currently runs 
on a single microprocessor system, the implementation fully 
supports a multiprocessor design. 

A. nSCOMMENDATIONS 

Because the Zilog MMU is not yet available for the ZSC20 
Developmental Module, it was necesary to simulate the 
segmentation hardware. As explained in Chapter IV, this was 
accomplished by reserving a CPU register, H14, as a 
Descriptor Ease Register (DEB) to provide a link to the 
loaded addresss space. When the MMU becomes available, this 
simulation must be removed. This can be done in two steps. 
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7irst, the addressing format must be translated to the 
segmented form. This requires no system redesign. 

Second, the switching mechanism most be modified to 
accomodated to use the MMU. This can be done by modifyinf' 
the SWAP_D3H portion of GETW03K to multiplex the t^MU_IMAG2 
onto the MMU hardware and this can be accomplished by 
changing about a dozen lines of the existing code. 

B. Follow ON WORK 

Although the monitor appears to execute correctly, it 
has not been rigorously tested. Before higher levels of the 
system are added, it is essential that the monitor be highly 
reliable. Therefore a formal test and evaluation plan should 
be developed. 

An automated system generation and ini tialization 
mechanism is also required if the monitor to be is a useful 
tool in the development of higher levels of the design. 

Once the monitor has been proven reliable and can be 
loaded easily, work on the implementation of the Memory 
Mana^ter kernel process and the remainder of the kernel can 
Conti nue . 
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SYSTEM PARAMETERS 
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52 TYPE 

53 MESSAGE WORD 

54 ADDRESS WORD 

55 VP INDEX INTEGER 

56 MSG INDEX INTEGER 
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180 

181 ! LOAD FIRST READY PROCESS 

0066 5F00 0000' 182 CALL GETWORK 1(R1: VP ID)! 
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APPENDIX C 



ADVANCE Procedure (HANDLE, INSTANCE) 

Begin 

Call WAIT_LOCK (APT) 
f wake up ! 

PROCESS := EVENT_LIST_HEAD (HANDLE, INSTANCE) 

COUNT := MM_ADVANCE_COUNT (HANDLE, INSTANCE) 

! make ready ! 

Do while not end of READY LIST 
If PROCESS. COUNT <= COUNT THEN 
Call MAKE READY 
end if 
end do 

I initialize oreempt array ! 

Do for 7P_ID = 1 TO #NR_VP 
RUNNING_LIST [VP_ID] .PREEMPT := #TRUE 
end do 

! find preempt candidates ! 

CANDIDATES := 0 

PROCESS := READY_LIST_HEAD 

Do (for VP_ID := 1 to #NR_VP) and not end READY_LIST 

If PROCESS = #RUNNING TEEN 
RUNNING_LIST [VP_ID} .PREEMPT := #FALSE 
el se 

CANDIDATE := CANDIDATE +1 
end if 

Get neit ready process 
e nd do 
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I preempt candidates ! 



Do for VP_ID := 1 to CANDIDATES 
If RUNNING_VP [VP_ID] = #TRUE 
Call SET_VPREEMPT (VP ID) 
end If 
end do 

Call ¥AIT_UNL0CK (APT) 

Return 
End ADVANCE 



Then 



135 






oJ 1 «t <11 oQ 

mn • lai Tr,cJlwiM \i 
<<n V) xis^ 

It \ 



i50iinj_?ii¥ iu3 



ffiirtsS 
fDH|f9* iial 




AWAIT Procedure (HANDLE, INSTANCE, COUNT) 

Begin 

Call WAIT_L0CK (APT) 

VP_ID := RTJNNING_VP 

PROCESS := RUNNING_LIST [VP_ID] 

CURHENT_COUNT := MM_READ_COUNT (HANDLE, INSTANCE) 

If CURRENT_COUNT < COUNT Then 
Call THREAD BLOCKED LIST (HANDLE, INSTANCE, PROCESS) 
PROCESS .HANDLE := HANDLE 
PROCESS. INSTANCE := INSTANCE 
PROCESS. COUNT ;= COUNT 
PROCESS .STATE := #BLOCKED 



Call TC_GETWORK 
end if 

Return 

End AWAIT 
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